Nasty Security Flaw In OAuth, OpenID
jones_supa writes: "A notable security vulnerability has been discovered which impacts both OAuth and OpenID, which are software packages that provide secure delegated access to websites. Wang Jing, a Ph.D. student at the Nanyang Technological University in Singapore, discovered that the 'Covert Redirect' flaw can masquerade as a login popup based on an affected site's domain. Covert Redirect is based on a well-known exploit parameter. For example, someone clicking on a malicious phishing link will get a popup window in Facebook, asking them to authorize the app. Instead of using a fake domain name that's similar to trick users, the Covert Redirect flaw uses the real site address for authentication. If a user chooses to authorize the login, personal data will be released to the attacker instead of to the legitimate website. Wang did already warn a handful of tech giants about the vulnerability, but they mostly dodged the issue. In all honesty, it is not trivial to fix, and any effective remedies would negatively impact the user experience. Users who wish to avoid any potential loss of data should be careful about clicking links that immediately ask them to log in to Facebook or Google, and be aware of this redirection attack."
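An added example, not from the story or from any of the providers it mentions: in Python, the host-only redirect_uri check that Covert Redirect relies on, beside the exact-match check an authorization server should use and the local-only guard a client site can put on its own redirect parameter. The client domain, registered callback and sample URLs are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed registration data for one hypothetical OAuth client.
REGISTERED_DOMAIN = "client.example"
REGISTERED_REDIRECT_URIS = {"https://client.example/oauth/callback"}


def lax_domain_match(redirect_uri: str) -> bool:
    """Weak validation: accept any HTTPS URL on the registered host.

    This is the behaviour Covert Redirect abuses: an open redirector on the
    legitimate host passes, and the code/token is then forwarded off-site.
    """
    parts = urlsplit(redirect_uri)
    return parts.scheme == "https" and parts.hostname == REGISTERED_DOMAIN


def strict_exact_match(redirect_uri: str) -> bool:
    """Exact comparison against pre-registered redirect URIs (RFC 6749 3.1.2)."""
    return redirect_uri in REGISTERED_REDIRECT_URIS


def is_local_redirect(target: str) -> bool:
    """Client-site guard for a 'next'-style parameter: allow only a path on
    this site, rejecting absolute URLs, scheme-relative '//host' forms and
    backslashes (which browsers treat as slashes)."""
    parts = urlsplit(target)
    return (
        parts.scheme == ""
        and parts.netloc == ""
        and target.startswith("/")
        and not target.startswith("//")
        and "\\" not in target
    )


# Constructed sample inputs: a legitimate callback and a covert one that uses
# the real client domain but routes through an open redirector.
LEGIT = "https://client.example/oauth/callback"
COVERT = "https://client.example/redirect?next=https://attacker.example/collect"

if __name__ == "__main__":
    for uri in (LEGIT, COVERT):
        print(uri, "lax:", lax_domain_match(uri), "strict:", strict_exact_match(uri))
    print("next=/account ->", is_local_redirect("/account"))
    print("next=//attacker.example ->", is_local_redirect("//attacker.example/x"))
```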
Warning: I'm getting bounced more frequently to the Beta site once again; Dice may be having another go at trying to roll it out. Be warned.
I wonder what percentage of Slashdot visitors are immediately switching back to Slashdot Classic by using the link at the bottom of the page?
If you don't like Slashdot Beta, then don't live with it. Use the link at the bottom of the page to go back to Slashdot Classic and send a _huge_ message to Dice at the same time when they come to look at their website logs.
If you like this idea, feel free to repost this message in other stories and help send a message to Dice they cannot ignore.